berbew | ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe
Size

337KB
MD5

3f4a521c65c718e7a034364cfb912d23
SHA1

00f9f42cff1747efbc9b15cac366d3631e349df9
SHA256

ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52
SHA512

437c7a7710fb0eebc440b1fedd646e1bd802cd7bf02d7dab6615ba06c3f195cba68427452177e1df173c4ce3e1fe927f72b9cde8cec8e1da967630172d6b6506
SSDEEP

3072:ocwx80ypZ9639zgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0v:oHx8ZC3h1+fIyG5jZkCwi8J

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Calhnpgn.exeCmnpgb32.exeKmijbcpl.exeKfankifm.exeNfjjppmm.exePcbmka32.exeCjbpaf32.exePncgmkmj.exeAcjclpcf.exeAqncedbp.exeCagobalc.exeDfknkg32.exeDodbbdbb.exeKfmepi32.exeKibgmdcn.exeMelnob32.exeQmmnjfnl.exeAnogiicl.exeLdleel32.exePfjcgn32.exeAeklkchg.exeCeqnmpfo.exeDeokon32.exeCmgjgcgo.exeLenamdem.exeQdbiedpa.exeQqijje32.exeAgeolo32.exeAglemn32.exeLdanqkki.exePjmehkqk.exeBcebhoii.exeBgcknmop.exeBhhdil32.exeDmjocp32.exeebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exeNphhmj32.exeAgglboim.exeDhfajjoj.exeAminee32.exeDmefhako.exeOcbddc32.exeOfeilobp.exeKlqcioba.exeNcdgcf32.exeOjllan32.exePdfjifjo.exeDdonekbl.exeAmgapeea.exeOdkjng32.exeOjoign32.exeAnmjcieo.exeOpdghh32.exeAndqdh32.exeCfbkeh32.exeNdfqbhia.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

Processes:

Kfmepi32.exeKpeiioac.exeKmijbcpl.exeKfankifm.exeKpjcdn32.exeKibgmdcn.exeKlqcioba.exeLeihbeib.exeLdjhpl32.exeLigqhc32.exeLdleel32.exeLenamdem.exeLdoaklml.exeLepncd32.exeLdanqkki.exeLgokmgjm.exeMgagbf32.exeMmlpoqpg.exeMgddhf32.exeMeiaib32.exeMelnob32.exeMenjdbgj.exeNilcjp32.exeNcdgcf32.exeNphhmj32.exeNeeqea32.exeNdfqbhia.exeNnneknob.exeNfjjppmm.exeOdkjng32.exeOncofm32.exeOpakbi32.exeOpdghh32.exeOcbddc32.exeOjllan32.exeOcdqjceo.exeOfcmfodb.exeOjoign32.exeOfeilobp.exePnlaml32.exePdfjifjo.exePfhfan32.exePmannhhj.exePclgkb32.exePfjcgn32.exePdkcde32.exePflplnlg.exePncgmkmj.exePdmpje32.exePfolbmje.exePqdqof32.exePcbmka32.exePjmehkqk.exeQdbiedpa.exeQfcfml32.exeQmmnjfnl.exeQqijje32.exeQgcbgo32.exeAnmjcieo.exeAqkgpedc.exeAcjclpcf.exeAgeolo32.exeAnogiicl.exeAqncedbp.exe

pid	Process
1492	Kfmepi32.exe
4428	Kpeiioac.exe
3444	Kmijbcpl.exe
1272	Kfankifm.exe
2352	Kpjcdn32.exe
3956	Kibgmdcn.exe
2316	Klqcioba.exe
3076	Leihbeib.exe
1068	Ldjhpl32.exe
2068	Ligqhc32.exe
3332	Ldleel32.exe
2340	Lenamdem.exe
4548	Ldoaklml.exe
2912	Lepncd32.exe
3092	Ldanqkki.exe
884	Lgokmgjm.exe
4248	Mgagbf32.exe
4308	Mmlpoqpg.exe
1832	Mgddhf32.exe
5020	Meiaib32.exe
1012	Melnob32.exe
568	Menjdbgj.exe
3172	Nilcjp32.exe
1412	Ncdgcf32.exe
2564	Nphhmj32.exe
1868	Neeqea32.exe
1916	Ndfqbhia.exe
1464	Nnneknob.exe
4688	Nfjjppmm.exe
2344	Odkjng32.exe
1468	Oncofm32.exe
4828	Opakbi32.exe
4572	Opdghh32.exe
2040	Ocbddc32.exe
3028	Ojllan32.exe
4808	Ocdqjceo.exe
3656	Ofcmfodb.exe
2200	Ojoign32.exe
3312	Ofeilobp.exe
4896	Pnlaml32.exe
2704	Pdfjifjo.exe
396	Pfhfan32.exe
2072	Pmannhhj.exe
3620	Pclgkb32.exe
2588	Pfjcgn32.exe
3720	Pdkcde32.exe
2892	Pflplnlg.exe
3368	Pncgmkmj.exe
3256	Pdmpje32.exe
3232	Pfolbmje.exe
4416	Pqdqof32.exe
2624	Pcbmka32.exe
4552	Pjmehkqk.exe
3988	Qdbiedpa.exe
4912	Qfcfml32.exe
1264	Qmmnjfnl.exe
648	Qqijje32.exe
4392	Qgcbgo32.exe
1828	Anmjcieo.exe
3844	Aqkgpedc.exe
2416	Acjclpcf.exe
4616	Ageolo32.exe
712	Anogiicl.exe
4932	Aqncedbp.exe

Drops file in System32 directory 64 IoCs

Processes:

Opdghh32.exePnlaml32.exePfolbmje.exeDeagdn32.exeKpjcdn32.exeLdleel32.exeLdoaklml.exeNfjjppmm.exeLeihbeib.exeOpakbi32.exePdfjifjo.exeAgeolo32.exeAfjlnk32.exeDfnjafap.exeKibgmdcn.exeLigqhc32.exeOcdqjceo.exeAcjclpcf.exeCfbkeh32.exeCalhnpgn.exeKpeiioac.exePfhfan32.exePjmehkqk.exeAglemn32.exeBagflcje.exeDgbdlf32.exeLgokmgjm.exeOdkjng32.exeQfcfml32.exeAmgapeea.exeCmgjgcgo.exeAndqdh32.exeKfankifm.exeOcbddc32.exeOfeilobp.exeQqijje32.exeMeiaib32.exeMelnob32.exeOncofm32.exeBcoenmao.exeCdfkolkf.exeNilcjp32.exeBnmcjg32.exeDejacond.exeDfpgffpm.exeQdbiedpa.exeAnmjcieo.exeAgglboim.exeAminee32.exeBgcknmop.exeMgagbf32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5912	5832	WerFault.exe	196

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Accfbokl.exeDfnjafap.exeMelnob32.exePqdqof32.exeCfbkeh32.exeCnicfe32.exeNcdgcf32.exeBgehcmmm.exePdfjifjo.exeBapiabak.exeCdfkolkf.exeLdanqkki.exeBhhdil32.exeAcjclpcf.exeCalhnpgn.exeebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exeLgokmgjm.exeDejacond.exeQqijje32.exeAminee32.exePdkcde32.exeDhfajjoj.exeAmgapeea.exeCeqnmpfo.exeDfknkg32.exeOpakbi32.exeOfeilobp.exePcbmka32.exeLdoaklml.exeOjoign32.exeAnogiicl.exeKpjcdn32.exeNphhmj32.exeAfmhck32.exeBcebhoii.exeCagobalc.exeCmnpgb32.exeCdhhdlid.exeLdjhpl32.exePfhfan32.exePncgmkmj.exeAqncedbp.exeDfiafg32.exeDopigd32.exeDmllipeg.exeOncofm32.exePnlaml32.exePmannhhj.exePfjcgn32.exePjmehkqk.exeBgcknmop.exeBnmcjg32.exeBcoenmao.exeMeiaib32.exePfolbmje.exeOjllan32.exeKmijbcpl.exeNeeqea32.exeQfcfml32.exeAgglboim.exeBmngqdpj.exeDdonekbl.exeDeokon32.exeKlqcioba.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe

Modifies registry class 64 IoCs

Processes:

ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exeOdkjng32.exeOncofm32.exeOjllan32.exeBhhdil32.exeLenamdem.exeNdfqbhia.exePncgmkmj.exeBgcknmop.exeDdonekbl.exeLigqhc32.exeNnneknob.exeOjoign32.exeAgeolo32.exeDfiafg32.exeKlqcioba.exeMenjdbgj.exeAccfbokl.exeDfnjafap.exeKpjcdn32.exeNcdgcf32.exePqdqof32.exeDfpgffpm.exeAqppkd32.exeLdanqkki.exeNeeqea32.exeOfcmfodb.exePfhfan32.exePclgkb32.exePcbmka32.exeMgddhf32.exeAfmhck32.exeBcoenmao.exeCnicfe32.exeCdhhdlid.exeCmnpgb32.exeAgglboim.exeLdjhpl32.exeNphhmj32.exeOcdqjceo.exePfolbmje.exeQfcfml32.exeLdleel32.exeQqijje32.exeBapiabak.exeDmefhako.exeKmijbcpl.exeKfankifm.exePnlaml32.exeAcjclpcf.exeDeokon32.exeCalhnpgn.exeDgbdlf32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exeKfmepi32.exeKpeiioac.exeKmijbcpl.exeKfankifm.exeKpjcdn32.exeKibgmdcn.exeKlqcioba.exeLeihbeib.exeLdjhpl32.exeLigqhc32.exeLdleel32.exeLenamdem.exeLdoaklml.exeLepncd32.exeLdanqkki.exeLgokmgjm.exeMgagbf32.exeMmlpoqpg.exeMgddhf32.exeMeiaib32.exeMelnob32.exe

description	pid	Process	procid_target
PID 1496 wrote to memory of 1492	1496	ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe	82
PID 1496 wrote to memory of 1492	1496	ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe	82
PID 1496 wrote to memory of 1492	1496	ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe	82
PID 1492 wrote to memory of 4428	1492	Kfmepi32.exe	83
PID 1492 wrote to memory of 4428	1492	Kfmepi32.exe	83
PID 1492 wrote to memory of 4428	1492	Kfmepi32.exe	83
PID 4428 wrote to memory of 3444	4428	Kpeiioac.exe	84
PID 4428 wrote to memory of 3444	4428	Kpeiioac.exe	84
PID 4428 wrote to memory of 3444	4428	Kpeiioac.exe	84
PID 3444 wrote to memory of 1272	3444	Kmijbcpl.exe	85
PID 3444 wrote to memory of 1272	3444	Kmijbcpl.exe	85
PID 3444 wrote to memory of 1272	3444	Kmijbcpl.exe	85
PID 1272 wrote to memory of 2352	1272	Kfankifm.exe	86
PID 1272 wrote to memory of 2352	1272	Kfankifm.exe	86
PID 1272 wrote to memory of 2352	1272	Kfankifm.exe	86
PID 2352 wrote to memory of 3956	2352	Kpjcdn32.exe	87
PID 2352 wrote to memory of 3956	2352	Kpjcdn32.exe	87
PID 2352 wrote to memory of 3956	2352	Kpjcdn32.exe	87
PID 3956 wrote to memory of 2316	3956	Kibgmdcn.exe	88
PID 3956 wrote to memory of 2316	3956	Kibgmdcn.exe	88
PID 3956 wrote to memory of 2316	3956	Kibgmdcn.exe	88
PID 2316 wrote to memory of 3076	2316	Klqcioba.exe	89
PID 2316 wrote to memory of 3076	2316	Klqcioba.exe	89
PID 2316 wrote to memory of 3076	2316	Klqcioba.exe	89
PID 3076 wrote to memory of 1068	3076	Leihbeib.exe	90
PID 3076 wrote to memory of 1068	3076	Leihbeib.exe	90
PID 3076 wrote to memory of 1068	3076	Leihbeib.exe	90
PID 1068 wrote to memory of 2068	1068	Ldjhpl32.exe	91
PID 1068 wrote to memory of 2068	1068	Ldjhpl32.exe	91
PID 1068 wrote to memory of 2068	1068	Ldjhpl32.exe	91
PID 2068 wrote to memory of 3332	2068	Ligqhc32.exe	92
PID 2068 wrote to memory of 3332	2068	Ligqhc32.exe	92
PID 2068 wrote to memory of 3332	2068	Ligqhc32.exe	92
PID 3332 wrote to memory of 2340	3332	Ldleel32.exe	93
PID 3332 wrote to memory of 2340	3332	Ldleel32.exe	93
PID 3332 wrote to memory of 2340	3332	Ldleel32.exe	93
PID 2340 wrote to memory of 4548	2340	Lenamdem.exe	94
PID 2340 wrote to memory of 4548	2340	Lenamdem.exe	94
PID 2340 wrote to memory of 4548	2340	Lenamdem.exe	94
PID 4548 wrote to memory of 2912	4548	Ldoaklml.exe	95
PID 4548 wrote to memory of 2912	4548	Ldoaklml.exe	95
PID 4548 wrote to memory of 2912	4548	Ldoaklml.exe	95
PID 2912 wrote to memory of 3092	2912	Lepncd32.exe	96
PID 2912 wrote to memory of 3092	2912	Lepncd32.exe	96
PID 2912 wrote to memory of 3092	2912	Lepncd32.exe	96
PID 3092 wrote to memory of 884	3092	Ldanqkki.exe	97
PID 3092 wrote to memory of 884	3092	Ldanqkki.exe	97
PID 3092 wrote to memory of 884	3092	Ldanqkki.exe	97
PID 884 wrote to memory of 4248	884	Lgokmgjm.exe	98
PID 884 wrote to memory of 4248	884	Lgokmgjm.exe	98
PID 884 wrote to memory of 4248	884	Lgokmgjm.exe	98
PID 4248 wrote to memory of 4308	4248	Mgagbf32.exe	99
PID 4248 wrote to memory of 4308	4248	Mgagbf32.exe	99
PID 4248 wrote to memory of 4308	4248	Mgagbf32.exe	99
PID 4308 wrote to memory of 1832	4308	Mmlpoqpg.exe	100
PID 4308 wrote to memory of 1832	4308	Mmlpoqpg.exe	100
PID 4308 wrote to memory of 1832	4308	Mmlpoqpg.exe	100
PID 1832 wrote to memory of 5020	1832	Mgddhf32.exe	101
PID 1832 wrote to memory of 5020	1832	Mgddhf32.exe	101
PID 1832 wrote to memory of 5020	1832	Mgddhf32.exe	101
PID 5020 wrote to memory of 1012	5020	Meiaib32.exe	102
PID 5020 wrote to memory of 1012	5020	Meiaib32.exe	102
PID 5020 wrote to memory of 1012	5020	Meiaib32.exe	102
PID 1012 wrote to memory of 568	1012	Melnob32.exe	103

C:\Users\Admin\AppData\Local\Temp\ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe
"C:\Users\Admin\AppData\Local\Temp\ebc9d1cb5e210cd2de4b08bb56539a30691534ca1f9fe095389721bbe38a3f52.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\Kfmepi32.exe
  C:\Windows\system32\Kfmepi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Kpeiioac.exe
    C:\Windows\system32\Kpeiioac.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\Kmijbcpl.exe
      C:\Windows\system32\Kmijbcpl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        48⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        50⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        59⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        61⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        67⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        68⤵
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1680
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3924
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        76⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        77⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        87⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        93⤵
        
        PID:428
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:208
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 396
        113⤵
        Program crash
        
        PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5832 -ip 5832
1⤵
PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
337KB

MD5
bb9e2dbeccdc02294616f3a9d6cedcf0

SHA1
b905e4a4033cc3a966d2a0761efe1cc8b31b1e0c

SHA256
4ccc66d5fd6ff46abb601bcaad03d8e0291991a310c1293264a4997900e413a0

SHA512
d61e811df9b0e6be2ee6bebfa63e9325429a83cd1d2f08d391a951b409cd697b8b70eee727bcbd796e3a9d5d448cf472c10f08ddc1ccbb7a87ea6140e015ee5b

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
337KB

MD5
d49e9c30c3f29737a5da9ba809e1af59

SHA1
9db177836b69029ec02e5c716ae919d96fab63ed

SHA256
675417de0d804a28798ebee672fda7ee806a0ed18e889818529b3460563b666e

SHA512
ed92b29344bfdbb681c78e60e3500c89db872ce302eace74f617fb9ca29512f89c5c251c9ad3491126f34a6c1fdc54e4c02ad85a6f4e2692cf34cf3a635fd612

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
337KB

MD5
b8261fa5a90856676b99dd5df21f451b

SHA1
bb3fdf4c39ba3bbb79f607c06a2b136b4e637963

SHA256
5f003125777bdd2c876f958f91293f7606daadf6a301cfe9cd2c4b634adf4f91

SHA512
aa89518088d0c7ada58af8184105056a19b772039defcb63157bc266aca31895902c00f6e60dc5aa2b0cccd458592bed708c07d868e01538352bba7a73511758

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
337KB

MD5
e042cb995e1f13cbd8e5fd29af32ba74

SHA1
c2e9d5d860edf47896ca836258929c32095381c9

SHA256
37a8e83e2a7b199e3d2c6b6f0ff91fa61954bf57b2888d33bc52297c18a762c1

SHA512
62aa2a4e1ebf8a1a631d91ff10acf05523eb54be96189dde63535836836bd973887a7a8145a4ba4cc05afead4d03ad0d6ab0b132b7876cb94eb12b23a9fb2bbf

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
337KB

MD5
4734071923d7b10e8a80816516452933

SHA1
1bbbe417eb8dc9dee64fd0155b613099f2371a82

SHA256
33bfff4df14df931410c41caf859c5e3e98b3fbdd93b16b59466c5977d7167f3

SHA512
c682f27e557e520d9544f6e605b651a3d5bd5344ce46dfb70dafc7660d811fe8e5d15ebb88223baf0e2924a4aa2cf21340f6f36cbce98830afe01c99ebc3c8ec

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
337KB

MD5
e8d14325b38aa88cca20ff52f07882bc

SHA1
d50607a30f9ee50cdbe8f833a1151e84623055c6

SHA256
899c36e2c42265e34ed52c52a18a3d4cb7448e05a956a21c5002ddcc4e4e01fe

SHA512
ee5352104a6388f1d9e761189e60cefddb6342c0ad499a0ffed5a73fcdb009d487c31e2767f4f88f90379d521dc33f78431d8954f546c0f784af78f6484ba1dc

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
337KB

MD5
c910a77dba9253c2ceec0c3df9e1f86f

SHA1
d164b2195e2ea8c9474cfff8fccf4fce8badde93

SHA256
ad8d70783fb49e56bb08770feb1b6afc80bd825ebbc6f784dd2f6f64408e0129

SHA512
221b46a008619b68a766d36626e59ef317a7a85b5b9bc94c354257f5b70833b3625ad5d4ed1b83af6bc55716bfe52b0101c70eb0696e99d65bdb7a8c04c4edb5

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
337KB

MD5
9578161726402c29c51621e1dbd2cf89

SHA1
2bb91baf29450b5a2ba4ebb76f02159e9ae0aebb

SHA256
daede9de4cce8362591c87dbd4b95f1a9380824b9c6a6d7b97da3f0b132793ca

SHA512
58dbcfc1701603a9e4e222fc6caca7f2093b1d59be4f1a3a261acaa21217b301f720a07c8d7a32b120479db8d24dfee4a810dc34f219f6c98b5f0a2235cff14f

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
337KB

MD5
48a887d70cfd1888119cb2b40ddda9ad

SHA1
57a65325b9763081deeb1565d13af79bcec00c52

SHA256
8d620e4bcf394c8e12a1a884b91ccc2a4ea53fd9a0adca59b94b249886f8cdda

SHA512
0001b6067f6bdc72225dd9259f2ac626ddddff772f89d5c5a20be5b0c189ced142f51c5890d2a5fa88c94641e6286544ff470199b776e912ac428b5b7399ad96

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
337KB

MD5
25d0754817eb9aa436985bca02d25e20

SHA1
dc0dfef007a2692c54869c674be1e5335ea38167

SHA256
3bf8b91a9efcbc12f06599dad5f9d2d56b3551a6000f504506940230bab5a2b5

SHA512
e0c8e048755e9c34c8667e1471cbe71ae14a8bfbf6006872ae00c6941b26680c2bc2120590b77b818bef6baa208379e3d7be5b1a101aa1dd7e7279cc34b1a820

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
337KB

MD5
7b0e90d1fd81f1dac5d99ed87a4b59ad

SHA1
ed41cfd5168f98d1ce26870160b1cd44c49dd23d

SHA256
9d442650c286c215694f590c8745ebae3f1f0fd3bf52d958908502bd45effdb6

SHA512
99676960504c6191712b3275f2378ca1eb65393615dc9ad304026ee8e02267151db432133ce11b15e98b675c3955a7c9b278e66c461a4c437dcf685009b980e9

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
337KB

MD5
6047c1b5f0ff5eb650bbcb956737c703

SHA1
d6664ea8d534844e1ab49a9b648a1f8ba08ffa7e

SHA256
fb4f78aee0f135238305c4c95b266195f4a1bbafbb9092dd7e267c2421f0c168

SHA512
cef5a76df07b1ec7824062b9334af5d65ac8d500019ef049363599ab0b2c95b1c2e95c2fd24efd8d489ccf43d4b2f33e63d35341d60467ee2089b61f4960e632

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
337KB

MD5
d34fee8b24f1c6d6b5e01c4f9f65c6d1

SHA1
2c2c6b5cf211300dbdf0f15ca25849e10e3c15f3

SHA256
2520ac384a0b4c85c52558cabf602d0f14cf93ba00e7e8e15c923d10b1ad1f0a

SHA512
64ac598239ce058df51a573b8ee49307c75f7d295f3011be6ee7e859aeed2f5f66d3c014ca0806237ec2c2ece8f1229a4e8f871fa43b24bc3844ec896cad25e8

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
337KB

MD5
b6aa79a6620ed94c2f90fa6cdf82b64c

SHA1
95661335d3cb693cce3e6e0cca500f256cc95e30

SHA256
ac514a733085eb451c7a594ba3483198d2ead55ab6919127b0a6aa23ef6291aa

SHA512
efed46a182c867e7c01ef705faaa3b36dd031c3c168e92727b4a0ab25c51ece0c503eb6ae449ce1c4789efeaef1d447c9ca90b8facc6a62df0bb999e816d7fe6

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
337KB

MD5
9051b0264647b0eff5d191439c4e1c19

SHA1
a03d626ff145102dd07b3ea835523c6ecd09549c

SHA256
c57a0d00d562b03ae26f1c84c0e2942e911693dfe22f06134ff29185d8a57c91

SHA512
4197672bf1c8d671a555bf958651356be27c85d7299dcba6813f931d71d4fbc6bb2757d543d84d94cb0d55d67c82ed40c4d324cc36012e2dfe52f5b38e80a1e1

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
337KB

MD5
eb8e7f8ab04052c642e0683094c136c6

SHA1
2f9532e9da31a10a097450759bbf87701ce5fd1f

SHA256
2317a676477afcb3075d4ad50d2db4f5e61bfba98b661b3cf1fac67ccad6164b

SHA512
e04c1d42cb6d60e752f750afe5d01d0390259614f0ea78cbb6a2d6e0d7082f05112f6dd0326695e8e16a7c8c8671980018410349f423c018de51d2605dd11086

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
337KB

MD5
97bc7d5d6e7b9163686683fc72dd5d1e

SHA1
037607e531c661450b195e2acb2d3ce95dbc652f

SHA256
b593c53fce1e741a3fa24482102611a7a2dd0d838dcc5cdaf5b18a34252b5a30

SHA512
151cd3b545f1d1206c197fe672132e50dcc7a93e700ed36405200e401da4567dd8442a80b3d9f59ee30d55e046988d82a083564abe1b258f60cc2892b5800bfd

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
337KB

MD5
165c960cb84444c31d3e5aeed7165f44

SHA1
a5208c87afac8fa30b9350ee6343df2f4d9f1cc4

SHA256
cf6387aacb17fcd5ad53557d8e45150b294752aba26e197519cef865e6d5a518

SHA512
bc812daf14bcb13f34e8304b6b4d0cbb846ee534d79c44b27c4f9c737d4e286de75feb99d8723ee0ad1a48df18d68659494d64c20245c9a9763fda960ae6967a

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
337KB

MD5
6dd29d0383457f5fcef8ce104a4e85ec

SHA1
54a589b48c42948833f90514c60a014e02ef90a2

SHA256
763ca6aef24a9021fce324b3818e41762a1652c1bcd4e5cdf21349e20a461d06

SHA512
22b53033ad8218b68da5196599d4094c1a8d3de9d6f59a1a9d17d1f7e9153b0efc5888884225f73eadb4bde62d36ca2db9c225ab20325c1fc3e36474cdae2cb6

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
337KB

MD5
2b31bd0abb4ce1c5c11f449df91e9b36

SHA1
c2d874cef048d4a77f5350adec71a6873c43c7c2

SHA256
0b0b411564036f9470ac7f62840c09945edfc4e5ae8a8300897d6b8327725fa5

SHA512
ad8057460075fc0441177188635bbce47af2f48f123f789d366789eeee83724979965a35eaa04b011821a664a1893b0f6cb82d1921d24744c20497e7458bf344

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
337KB

MD5
a35c27b6c102dd3bf06e9c9bac37ad7e

SHA1
1c3b92e35d38e05a02d3167f7100f4bc2f8be0bc

SHA256
938047aaf662993cd6cb8240b0594fc8d303e368423052e8735c08e2582ff2af

SHA512
16d7cdeaa268640dd59781330634ad377d22251b597d77e31e7be6ee113bee16b7f4e3f8e0cc1e95d916b4fcd3c267d5671f9c2ccb8a3feacde0779baf61c9ac

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
337KB

MD5
ac0c236eaf9f26ad16628e57322f3fe1

SHA1
4183e2a2e37f8c9d1351ea6ba67a6e5f5bc3a7db

SHA256
61d4d28e64a5d6bd97c31ec34b87b60ca27da1fa72762159b9dc46a9fd76ddaa

SHA512
4bbbeeb674dd5fbaead09ba3c5d2e60a26a086333f20cabec7ec03657aee5c30ccf70421f080717710c25a6fe171a2578c2fd0b0ef0a91d0b2dea4b661a25192

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
337KB

MD5
26992560d1f0edc8e16d0d0ce4b6ea8e

SHA1
ce6d29a869c1ed365710c53338446ea7addd8076

SHA256
6e151f0e15b5b616596c2ab3de1c132bb1c3f8391279e8349907f06415bca759

SHA512
23fb2ec2556fca11578b22348241d6ab9c6a64d0fc7d94c31919c8e9d8cec87352ae7e5ec8d7670ecd74b22f4df5b93954bb4ff6cee86f13c3d92acaa141bbcd

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
337KB

MD5
71fb88699da9d3d38493f762be4282fe

SHA1
dafc58b39aacd4148cd20edcd754d891fd62918e

SHA256
0fa6309b2e2b64da80842f9d34b1eb0a0252c94269090ae812e3dcc0a371aadf

SHA512
fb0f32e52098e850fa0be294b3802755b26edae3dfd6731edeca7eef2351b4a0c4b3602d7e6f1874117b4f2cb6c221327cace4fef7031ea34a97c7d48f4f8289

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
337KB

MD5
1a09f747af5add12328f43f85f160d64

SHA1
273f4f82d8c2d74a1a19451e337c92dd3fa86e24

SHA256
3d6a19959863b978c6cce0128635cd82fd8c29927a14336f228e88a62ec8d0b1

SHA512
9225a169c6a987c89745bbdbd6bd8c04337be09fdacc97e5fe131cd7966cfd881b95eef1bf9ce94872d931fd65f2da7698192ffcd0b0c03fc26be654339d63cf

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
337KB

MD5
c35a34b522a9e35934ab15cf57dcf544

SHA1
5808b49eb7da25842585fd95d93208810f9fe59f

SHA256
7020ce25dec582cce8570314377a71febb4892df12baffd5a899583f53935214

SHA512
ea124992d35197bf0cdf5a442b7f70ea4c15335d27ceefbd3b6fff493e61b5a57e89ff6b7169d3b234e914682ff9a41a824520c4d97145d0e1d873b544b834e0

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
337KB

MD5
bc6dab41e2316e4e7411342c3b33bfab

SHA1
88432909fc1f4bc5e39825d0475d04ad80e18b9c

SHA256
e562e7f07f11cb2122c24c2951060280822caf129e7fd0dbc09d3630a33f8390

SHA512
77ca13779d23e63c1cc09cd3778212fe515c254409dabcfd27842febf5c977fc8951711f43ab190dd62bdfb2750338b42b0a4eccb376e33651cec736f0cec52e

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
337KB

MD5
5ce6c46ea8e1f8ae63a4f3e28efcd50b

SHA1
51451c95883da75ecbc135b22aae4df0fbc04c87

SHA256
ef9fb5c6e3f42f6b191631e5f2a540c95f05efd27a938088a43ce7bca1170168

SHA512
48569797802af7b03de6918a135a5ba92671f3b474db0471a9db421b5a57e1fa3302b1651533628909fe17e43167e4e522f0fcd8b71a1e2f770d7b7287547949

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
337KB

MD5
b53fcfb50ef5fcb05b0f5639a4037283

SHA1
ef3e2cc57c475b9041dec29110c1e29a8e082c0f

SHA256
d2741ae4c1ea72ef1c2bac1094c32783ecc6b3492e8911b13da9a190febc7825

SHA512
1e8b3544e441d295e4322923d1a28273501cea95d9f55f0a3b76973fb8aab75e85f938b265b493ae3423be0660558dfe239dc5b30fe670a6ff98db767f5f2e73

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
337KB

MD5
af44c6f9f116f26a2786098766cf1b6f

SHA1
6c4514ff58623586ccbd7940d7770272c7ca4a26

SHA256
a489c687a8af30d281b7cf908bc08dab840a790a6a42240078c310d47ba8ef35

SHA512
bf13fdac9c3fc50315f7ccef95c152bdf0a578a4ef2f599013bac225fd289bb2a5d5a0326bc35c3114403e9446936b725df2a79028d64fe88870c7fbb885d79e

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
337KB

MD5
2d6932866d6aa9a7ec53a790cf5a375e

SHA1
6ca5d2d44216375030141190a72989d6758dc4f9

SHA256
30d2975170a300b2cc0003e124f96ceecc6cbe74209f45529d4669015fb3a043

SHA512
f9f6bcae11788d489823154461660f5b1278c4507f824c588007c422c67f08ea59bd0d845a78bb0d595c0a64aafccb3c53effe2220d64def649bb88be6e8acaa

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
337KB

MD5
66f98ce195ac2c339bfa180024199f9e

SHA1
14132067a4229703ac2bf53ace41599ae847ddf0

SHA256
8fadadc962e710973aa52ec67b9301c7f7e5540b0223096d5484bdba835cc921

SHA512
9ec2f8a8c1c3d15717b1ab9c6a2359e187bdeb737d4640b1f714ee33f286c225829b5882be4ecb5fca59fb727de517e952de2af403aa55868500679d989ccf13

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
337KB

MD5
f4472178e472be6e07d3c60ea2375ac7

SHA1
d267ef806819769ca2114804444658a91bb0c945

SHA256
6ca691824f450107689ffb045cd6191d49d8df6b0d852dbca4e0f35f1bbcdaf0

SHA512
253479eee95bc59c95e4eb22d1a68698a4b0412ad09b50a9f94db05b2518ef81612430d758db10f8458dbf0450bab4f57e1014f7fcb25da35e68cc9198090f45

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
337KB

MD5
0d1f023cb0f660145ab12ae0d9b044d9

SHA1
bc26d0d8607468d7cf8d9026c0e129e09a98917c

SHA256
1d60fa8559fa20d4b3b34c0fb700bccead1d9d731ad35ea50aa4c1b416d762aa

SHA512
2d5f90c3f8f05b3b34f143d614e14fd7317982c477b77b70a18df346e0cba177abe1cdac9c930494535fce1341e3d2b993c5772a26abb23f7d1c3ba43e092e71

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
337KB

MD5
630ae766b30a5d52fee413b7ff7ff45c

SHA1
53aa8da6213854d1b44235e182e337ed481a4322

SHA256
ace4238e73e9bc88959b3111ec95004fac66c3526bb680b0fcab06eaf89b2b58

SHA512
1f89d1d955163635e7df0f5d7e17681f9d72a3f17804511195a38a7f0f02bd2dd6587f95d976699bd4c2e2501f3f30963ffb680b556b1777cb032b05e611d0b8

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
337KB

MD5
30dc8032f76b63189e37724243211bde

SHA1
f7ee2c6eae4cb3492d724ab321788e8d71ddff40

SHA256
4b646d637f06860951c4a46168128990307ef19fd4720123a849bb83adef94f4

SHA512
b7bfaf63148357b29b45c1f0b8941b11659c68a505ad9b5489b7a2a0b2f592995fe30c35ecf576936bd0f0614ec401a9cf22159837f35b97daa4a155035a5191

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
337KB

MD5
d0c62849b93594828359f4d256a5a5fd

SHA1
534766149e6b3eb53f1a2a788e1dea6b491a5144

SHA256
d66bcabec3625fa62a4fc29bc9c6fad721702aa20f5b2b1dc89e236d19331d79

SHA512
30cc0354e118fd21c23d1a3defbd0f4b28f72eee0a903058a01d1b666c6c7e3f5a67cceadc9c4d9dc47608490bb1276c012ef8bb04f25ebd088191af1fb8075b

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
337KB

MD5
fe417edb4bbe90b35380e3bca9eeabed

SHA1
d4f4f4d20688f8cec54839f2ae1d8d653909307b

SHA256
1b10b4734560388e35ed1a910389a60171ff8d2ad8a6233fb685eec0ce09db69

SHA512
15136320579c27949e0cb76d0f84d1a24a3df94303c8c288d4aad874e344ca0cc948b4e561b53e719beb24ab53edfe11048c3ab88273da9a799753c0bde524fb

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
64KB

MD5
a1fe0015d85c37eb3e8cf74462392517

SHA1
3796a01f5620af07acaf6fe24919f48a2a49f78e

SHA256
96765043bb3d45b5e805669993237d5010cdd55f690a2391ace428c8d96bc3cf

SHA512
ce0ce4bac430711c69be531c9676354324675b34189333b7d3c28e039d25c0ee53ad18a23d64b5124a8865df7c20dd0d379c86f2456107edc3e69c66707243ce

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
337KB

MD5
a861afa6e110411302f7d73a993c8242

SHA1
e80b6031d25521d9097ac2a0a6b0ab43794360c2

SHA256
d6c49da94e4fdd122041ff0344eef2a5e86f3e0fe4dc7b4a6ac31bab331e6e12

SHA512
8246141e7d8ba160358f6640f26297706b05736e2aa9088d446d39658296e0c8bfb004582dac00d185229862938d0b03e17068901d1eb72bd5e7774dc34a44cb

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
337KB

MD5
ac636034ffe10084cf89adbe27d7b4a2

SHA1
36f2b5b3be517bca00f8a0dd62d86c45779327df

SHA256
c59b00a6a48aac4637e7a98ad3c8ce3ccd745ec1be6bdf9014903f52addef2fe

SHA512
9d4b0648e8552b624bef28d52fbf8cd1060722e45e65b58b9c77ff6462492681427c392b26f249ce37ed4f975fdc1dd366394663a23ac27611b2c99fadff87ef

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
337KB

MD5
6c8e5aef5fe493ec8ecdd6eab3a33404

SHA1
b270f2d565974e2d1d3af91c8ce37c206428d5a8

SHA256
52029de9d6ad6f8339fa859c500ec46483fb6eedd8458cce0bcde29105398baf

SHA512
3bf85e5247bbeffb78e2af0c4721c87a1052629a84f3f0cdaec640efe6ef427e4f99cbee74adb07b95c579e612c7eae206914ec2b7a528b0bd1814e06d03e93e

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
337KB

MD5
4b6332256ec7db002727a6200c2d46d2

SHA1
e7a80109f9748159e945e476a5557452f852cc32

SHA256
ee56af46645f31e6bc3ea5931308c7007a98fe9a63a54dbee895ef307571d9fd

SHA512
f650f368e86cb7da1a69e1dacd0d48adc43bf8f87dcf95e8ee2d93a8d9bf5a93c8ab05943ece0198789bf3c3b75dded1fbd236f83c9796c031e9a274940b33ec

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
337KB

MD5
e1101979988f7e18f4637aa968a438b4

SHA1
ea6b63dc23d565b49ffbde30440b65de813dca2b

SHA256
d8c4ce79db1ad1fe49d54db4df8df0995fa4fe769d9e209d1e2e1d90ba2141cb

SHA512
e72cef7aae6135dc615cb23ef3c4caa9523b6eb1ca9c31a8b0a45e4caff94298e6e9b9e972c5fec6a08aba4c010695c17ceafd668ababc29abea762582d988fe

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
64KB

MD5
ba2e7fadf55f215fca27860989a5613c

SHA1
5e39fcd9607049c3d38ab0fc63a2e4d13eed92a7

SHA256
0dc27279b40e2bf5abea1c8a89946e16220d0624a7abd4ef7332f9017dc3228f

SHA512
5c287abec2b79016fe12ad6c66eee2b3efa64d7fd23b3ad93e3f3405d7c59649efe684ab843175544fddaee34fdef36feace4137cf7658ad3d744a807fd42708

Download Submit
memory/396-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1652-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-832-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-794-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-831-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-795-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-788-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5604-772-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5700-768-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download